kern/38219: tmpfs rename locking meltdown

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost
Subject: kern/38219: tmpfs rename locking meltdown
From: pooka%iki.fi@localhost
Date: Tue, 11 Mar 2008 14:45:00 +0000 (UTC)

>Number:         38219
>Category:       kern
>Synopsis:       tmpfs rename locking meltdown
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Mar 11 14:45:00 +0000 2008
>Originator:     Antti Kantee
>Release:        
>Organization:
>Environment:
>Description:
Due to recent changes to tmpfs_rename in current, it is easy to fool
rename to try to lock against itself.

No NetBSD release is vulnerable to the local panic DoS.
>How-To-Repeat:
cd /tmpfs ; mkdir foo foo/bar ; rename foo/bar foo
(HOX! rename, not mv(1))
>Fix:
Either a) add more indecipherable checks which break down with every
change that hasn't been meditated upon for 10 years or b) fix rename
over all file systems so that it's actually possible for a human to
implement it right.  "a" is trivial and "b" might be slightly more
difficult.

Prev by Date: Re: kern/37955: Kernel Panic NetBSD 4.0 blkfree
Next by Date: port-i386/38220: NetBSD 4.0 REL (LARGE_INSTALL) won't boot properly on HP proliant DL380 G3 (3.20 GHz uni)
Previous by Thread: Re: kern/37723: ne* AX88190 Fast Ethernet 16-bit PC Card: where did the card go? problem
Next by Thread: port-i386/38220: NetBSD 4.0 REL (LARGE_INSTALL) won't boot properly on HP proliant DL380 G3 (3.20 GHz uni)
Indexes:

Home | Main Index | Thread Index | Old Index